How a Bug in an Obscure Chip Exposed a Billion Smartphones to Hackers

Share

How a Bug in an Obscure Chip Exposed a Billion Smartphones to Hackers

Getty Images

If you haven't updated your iPhone or Android device lately, do it now. Until very recent patches, a bug in a little-examined Wi-Fi chip would have allowed a hacker to invisibly hack into any one of a billion devices. Yes, billion with a b.

A vulnerability that pervasive is rare, for good reason. Apple and Google pile millions of dollars into securing their mobile operating systems, layering on hurdles for hackers and paying bounties for information about vulnerabilities in their software. But a modern computer or smartphone is a kind of silicon Frankenstein, with components sourced from third-party companies whose code Apple and Google don't entirely control. And when security researcher Nitay Artenstein dug into the Broadcom chip module that helps power every iPhone and most modern Android devices, he found a flaw that had the potential to completely undermine the expensive security of all of them.

Over the last weeks, both Google and Apple have rushed to patch that bug, which Artenstein calls Broadpwn. Without that fix, it would have allowed a hacker who comes within Wi-Fi range of a target not only to hack a victim's phone, but even to turn it into a rogue access point that would in turn infect nearby phones, quickly spreading from one device to the next in what Artenstein describes as the first Wi-Fi worm.

While the vulnerability is now patched–seriously, get that update–Artenstein says it also offers broader lessons about the fundamental security of our devices. The near-future of smartphone hacking may focus less on operating systems, says Artenstein, and more on insidious flaws in those peripheral components.

"We’re witnessing a process in which mainstream systems like the application processors running iOS or Android have become so hardened by undergoing intense security research that security researchers are starting to look into other directions," says Artenstein, who presented his findings at the Black Hat security conference and in a subsequent WIRED interview. "They’re starting to look for that breach in the wall where exploitation still isn’t that difficult." As hackers search for increasingly rare attacks that don't require any interaction from users, like opening a malicious page in a browser, or clicking a link in a text message, they'll focus on third-party hardware components like Broadcom's chips, Artenstein says.

Broadpwn

Artenstein, a researcher for the security firm Exodus Intelligence, says he has suspected for years that Broadcom's Wi-Fi chip might offer new avenues into the guts of a smartphone. After all, the "kernel" of a modern phone—the core of its operating system—is now protected by measures like address space layout randomization, which randomizes code's location in memory to prevent a hacker from being able to exploit it, and data execution prevention, which prevents hackers from planting malicious commands in data to trick a computer into running them. They're locked down tight.

But Broadcom's Wi-Fi controllers have no such protections. And they're found across manufacturers and operating systems, from the latest Samsung Galaxy devices to every single iPhone. "Obviously, this is a much more interesting attack surface," Artenstein said in his Black Hat talk. "You don’t have to repeat your work. If you find one bug, you can use it plenty of places."

So about a year ago, Artenstein began the painstaking process of reverse-engineering the obscure firmware of Broadcom's chips. He was aided, he says, by an unexpected leak of the company's source code he found on Github, which Artenstein suspects was accidentally published by one of Broadcom's partners. And as he dug through the code, he quickly found opportunities for trouble. "If you look at these systems you find bugs like you used to in the good old days," Artenstein said.

He eventually spotted one crucial bug in particular, hidden in Broadcom's "association" process, which allows phones to search for familiar Wi-Fi networks before they connect to one. One part of the beginning of that handshake process didn't properly constrict a piece of data sent to it by the Wi-Fi access point back to the chip, a bug known as a "heap overflow." With a carefully crafted response, the access point could send data that corrupts the module's memory, overflowing into other parts of the memory to run as commands.

"You malform it in a special way that gives you the power to write anywhere in memory," Artenstein explains. That sort of overflow is vastly harder to exploit when a hacker is remotely attacking randomized, protected memory of modern operating systems, but worked perfectly in the memory of Broadcom's Wi-Fi module on smartphones. "It’s a pretty special bug," Artenstein says.

Because the flaw existed in the part of the Broadcom code that handles automatic communications between the phone and an access point, the entire process of taking over a Wi-Fi chip could occur without the user noticing anything at all amiss. To make matters worse, the attack could repurpose Wi-Fi chip as an access point itself, broadcasting the same attack to any vulnerable phones within range to exponentially spread through the smartphone world.

Artenstein notes, however, that he didn't go so far as to write the part of the attack that would spread from the Wi-Fi chip to the phone's kernel, though he believes that final step would be possible for motivated hackers. "For a real attacker with resources, it would not be an issue," Artenstein says.

Weakest Link

That wasn't the first time that Broadcom's bugs have bitten the smartphone industry. Earlier this year, both Apple and Google had to rush out patches for another Broadcom Wi-Fi flaw, found by Gal Beniamini, a member of Google's Project Zero research team. Just as with Artenstein's attack, that flaw would have potentially allowed the takeover of practically any Android or iPhone in Wi-Fi range.

The potential severity of Artenstein's and Beniamini's attacks—which likely persisted undiscovered in phones for years—points to the danger of vulnerabilities in relatively unexamined components like those sold by Broadcom. (The company didn't immediately respond to WIRED's request for comment on the details of Artenstein's work.) Since around 2010, the cybersecurity world has become increasingly aware of the vulnerability of third-party chips, like the so-called baseband processors that handle smartphone telecommunications. But even as researchers vet baseband chips more thoroughly, others chips like those handling Wi-Fi, Bluetooth, or near-field communications have remained less strictly audited.

Qualcomm security engineering manager Alex Gantman, who sat in on Artenstein's Black Hat talk, argues that Qualcomm's widely used baseband chips don't suffer from quite the same lack of protection as Broadcom's chips. They do, for instance, implement data execution prevention, if not the memory randomization that protects operation system kernels. But he says that vulnerabilities like Broadpwn still show that device manufacturers need to not only consider the security of their third-party components, but to build in protections designed to limit the damage if they're hacked. "You have to treat a computer as a network, where it’s properly segmented, and if you get control of one component you don’t have control of the system," Gantman says.

Until the security of those components at the edge of your smartphone rise to the level of its operating system's core, hackers will keep probing them for in-roads, Artenstein says. He points to his and Google's Beniamini's simultaneous work as a sign that more such third-party component hacking may be coming. "That both of us were looking at this after years when no one looked means the landscape is changing," he says. "Attackers are starting to look into hardware. I think these attacks will increase."